Bug#850713: linux-image-4.8.0-0.bpo.2-amd64: can't mount NFS shares via nfs referrals

[Christoph Martin <martin@uni-mainz.de>]

Package: src:linux
Version: 4.8.11-1~bpo8+1
Severity: important

after upgrading from kernel 4.7 to 4.8 nfs mounts of shares with
group permissions (on a Netapp filer) via a nfs referral server
are not anymore mountable using nfs4.1 and kerberos.

This seams to be caused by the following upstream patch to VFS:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8-rc1&id=a867d7349e94b6409b08629886a819f802377e91

We verified the problem by applying the patch to a 4.7 kernel.

In our setup we have several thousand user and group directories/shares on
multiple Netapp filers which get mapped into a unique filespace via an
NFS referral server.

With kernels up to 4.7 on login of a user the respective home directory was
mounted with the kerberos ticket of the user from kernel automounter.
The group
directories were also automatically mounted via kernel automounter. With
kernel
4.8 all shares where the user has explicit rights are mountable
(e.g. home directory) but not the group accessable directories.

This seams to be caused by the stricter checks in VFS layer, which might
be good for local filesystems but apparently not for NFS, where the remote
side is responsable for the access check.

Regards
Christoph

-- Package-specific info:
** Version:
Linux version 4.8.0-0.bpo.2-amd64 (debian-kernel@lists.debian.org) (gcc
version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 4.8.11-1~bpo8+1 (2016-12-14)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.8.0-0.bpo.2-amd64
root=UUID=d1eed7d2-f499-4d04-955d-dc98004a9cc9 ro

** Tainted: E (8192)
 * Unsigned module has been loaded.

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
sys_vendor: Microsoft Corporation
product_name: Virtual Machine
product_version: 7.0
chassis_vendor: Microsoft Corporation
chassis_version: 7.0
bios_vendor: American Megatrends Inc.
bios_version: 090006
board_vendor: Microsoft Corporation
board_name: Virtual Machine
board_version: 7.0

** Loaded modules:
des_generic(E)
cbc(E)
nfsd(E)
nfs_acl(E)
rpcsec_gss_krb5(E)
auth_rpcgss(E)
nfsv4(E)
dns_resolver(E)
nfs(E)
lockd(E)
grace(E)
sunrpc(E)
fscache(E)
sb_edac(E)
edac_core(E)
crct10dif_pclmul(E)
crc32_pclmul(E)
serio_raw(E)
ghash_clmulni_intel(E)
hv_balloon(E)
pcspkr(E)
hyperv_keyboard(E)
i2c_piix4(E)
hyperv_fb(E)
hv_utils(E)
acpi_cpufreq(E)
tpm_tis(E)
tpm_tis_core(E)
tpm(E)
button(E)
evdev(E)
joydev(E)
loop(E)
fuse(E)
autofs4(E)
ext4(E)
crc16(E)
jbd2(E)
fscrypto(E)
mbcache(E)
dm_mod(E)
sg(E)
sd_mod(E)
ata_generic(E)
crc32c_intel(E)
hid_generic(E)
hv_netvsc(E)
hid_hyperv(E)
hid(E)
hv_storvsc(E)
scsi_transport_fc(E)
aesni_intel(E)
aes_x86_64(E)
glue_helper(E)
lrw(E)
gf128mul(E)
ablk_helper(E)
cryptd(E)
ata_piix(E)
fjes(E)
floppy(E)
libata(E)
psmouse(E)
hv_vmbus(E)
scsi_mod(E)

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 440BX/ZX/DX -
82443BX/ZX/DX Host bridge (AGP disabled) [8086:7192] (rev 03)
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0

00:07.0 ISA bridge [0601]: Intel Corporation 82371AB/EB/MB PIIX4 ISA
[8086:7110] (rev 01)
        Subsystem: Microsoft Corporation Device [1414:0000]
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0

00:07.1 IDE interface [0101]: Intel Corporation 82371AB/EB/MB PIIX4 IDE
[8086:7111] (rev 01) (prog-if 80 [Master])
        Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0
        Region 0: [virtual] Memory at 000001f0 (32-bit,
non-prefetchable) [size=8]
        Region 1: [virtual] Memory at 000003f0 (type 3, non-prefetchable)
        Region 2: [virtual] Memory at 00000170 (32-bit,
non-prefetchable) [size=8]
        Region 3: [virtual] Memory at 00000370 (type 3, non-prefetchable)
        Region 4: I/O ports at ffa0 [size=16]
        Kernel driver in use: ata_piix

00:07.3 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI
[8086:7113] (rev 02)
        Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
        Interrupt: pin A routed to IRQ 9

00:08.0 VGA compatible controller [0300]: Microsoft Corporation Hyper-V
virtual VGA [1414:5353] (prog-if 00 [VGA controller])
        Control: I/O+ Mem+ BusMaster+ SpecCycle+ MemWINV+ VGASnoop-
ParErr- Stepping- SERR+ FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0
        Interrupt: pin A routed to IRQ 11
        Region 0: Memory at f8000000 (32-bit, non-prefetchable) [size=64M]
        [virtual] Expansion ROM at 000c0000 [disabled] [size=128K]
        Kernel driver in use: hyperv_fb


** USB devices:
not available


-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (700, 'stable-updates'), (700, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-0.bpo.2-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.8.0-0.bpo.2-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.120+deb8u2
ii  kmod                                    18-3
ii  linux-base                              4.3~bpo8+1

Versions of packages linux-image-4.8.0-0.bpo.2-amd64 recommends:
ii  firmware-linux-free  3.3
ii  irqbalance           1.0.6-3

Versions of packages linux-image-4.8.0-0.bpo.2-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.02~beta2-22+deb8u1
pn  linux-doc-4.8           <none>

Versions of packages linux-image-4.8.0-0.bpo.2-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

-- 
============================================================================
Christoph Martin, Leiter Unix-Systeme
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telefon: +49(6131)3926337
 Instant-Messaging: Jabber: martin@uni-mainz.de
  (Siehe http://www.zdv.uni-mainz.de/4010.php)

begin:vcard
fn:Christoph Martin
n:Martin;Christoph
org;quoted-printable;quoted-printable:Johannes Gutenberg-Universit=C3=A4t Mainz;Zentrum f=C3=BCr Datenverarbeitung
adr:;;Anselm Franz von Bentzel-Weg 12;Mainz;Rheinland-Pfalz;55128;Germany
email;internet:martin@uni-mainz.de
title:Leiter Unix-Systeme
tel;work:+49-6131-3926337
tel;fax:+49-6131-3926407
tel;cell:+49-179-7952652
x-mozilla-html:FALSE
version:2.1
end:vcard

Attachment: signature.asc
Description: OpenPGP digital signature